There are countless resources on the Internet about GitHub Actions and Terraform. My two favorites so far are Hashicorp's tutorial [Automate Terraform with GitHub Actions](Automate Terraform with GitHub Actions) and our own Friday Deploy! Integrating Terraform into your GitHub Actions with HashiCorp video with some friends from Hashicorp. I hear you asking "so then why creating yet another resource"? Glad you ask!
First of all, this is a GitHub repo. It means you can fork it and start playing with it right away. A quick fork is always faster than scrambling with copypasta. It's also an alternative way of using both GitHub and Terraform as it does not use Terraform Cloud. Last, I wanted to also highlight other capabilities such as Dependabot and Advanced Security in the context of Terraform.
We have a simple Terraform file, main.tf
, with its variables being stored in production.tfvars
. Our Deploy with approval
GitHub Actions workflow (in .github/workflows/deploy.yml
) will take care of executing it with two jobs. The first job will compute the plan and store it as an artifact. The second job will wait for you to review the plan and then execute it.
The terraform plan is computed and saved in ~/terraform-output/plan
. As this plan is not human readable, we also save it to a file, using the stdout
output of the plan
step. This is possible because the hashicorp/setup-terraform
action has the terraform_wrapper
property enabled.
- name: Terraform Plan
id: plan
run: |
mkdir ~/terraform-output
terraform plan -no-color -out ~/terraform-output/plan -var-file="production.tfvars"
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID}}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
- name: Log plan as plain text
run: |
echo "${{ steps.plan.outputs.stdout }}" > ~/terraform-output/plan.txt
The module referenced from main.tf
comes from a private repository. We want to be able to use it while staying away from Personal Access Tokens and changing URLs of each module to include it.
module "remote_child" {
source = "git::https://github.com/octodemo/OctoTerraform-Module.git//modules?ref=main"
latest-ubuntu-id = "${data.aws_ami.latest-ubuntu.id}"
}
First we need to follow the steps at peter-murray/workflow-application-token-action and store the APPLICATION_ID
and APPLICATION_PRIVATE_KEY
as secrets (don't commit the private key file in your repo, just copy/paste its content as a secret). Make sure you give the application the Contents
repository permission and install it on all your module repositories.
We then use the action in a distinct get_workflow_token
job to retrive a token. Note the outputs
section, so that we can share the token with the terraform-plan
and terraform-apply
jobs.
get_workflow_token:
runs-on: ubuntu-latest
outputs:
token: ${{ steps.get_token.outputs.token }}
steps:
- name: Get Token
id: get_token
uses: peter-murray/workflow-application-token-action@v1
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
The terraform-plan
and terraform-apply
jobs have to reference the get_workflow_token
job in the needs
section in order to access its token
output. We then use the fusion-engineering/setup-git-credentials action to set the credentials with this token so that Terraform has the permission to clone the child module repository.
terraform-apply:
runs-on: ubuntu-latest
environment:
production
needs:
- get_workflow_token
- terraform-plan
steps:
- uses: fusion-engineering/setup-git-credentials@v2
with:
credentials: https://foo:{{needs.get_workflow_token.outputs.token}}@github.com
- name: Checkout
uses: actions/checkout@v2
....
TFSec...
Dependabot...